Type of Authentication
You can select an authentication method based on your target: a web application or an API endpoint.
Web Application Authentication
Form Authentication
If you want to authenticate to a form on the web application, you need to supply username and password credentials. Form authentication typically passes the username and password within a POST to the application framework. If the application framework is on the same domain, use the Standard Login option. If the application framework handling the authentication is on another domain, you must provide crawl access to that domain via the "Explicit URLs to Crawl" setting within your web application settings.
These types of form authentication are supported:
- HTML form-based authentication (standard login)
- Custom form fields. For details, see Custom Authentication.
- Selenium script uploaded from your file system
Form Authentication using Selenium
For more complex form authentication use the Selenium Script option. Record the authentication process in a Selenium script and upload the script to your authentication record. At scan time we'll play back the script to authenticate to the form.
For details, see Use Selenium Script.
Server Authentication
For server authentication you'll need to provide server authentication credentials within a Server Record. Server authentication is handled within the HTTP headers. Selenium scripts cannot be configured to do server authentication.
These types of server authentication are supported:
- Basic
- Digest
- NTLM
API Authentication
If you want to authenticate your Swagger/Open API file using a Bearer Token, you will need to provide a valid token value. Enter the token details to create a Bearer Token authentication record. This record is used to authenticate your Swagger/Open API file at the time of scanning.
If you want to authenticate your Swagger/Open API file using an API Key, you will need to provide the key name and its value. Select where the key should be sent (header or query parameter) and enter the details to create an API Key authentication record. We will use this record to authenticate your Swagger/Open API file at the time of scanning.
OAuth2 Authentication
If you want to authenticate your Swagger/Open API file using OAuth2, you will need to select one of the four OAuth2 grant types. Select a grant type and enter the details to create an OAuth2 authentication record. We will use this record to authenticate your Swagger/Open API file at the time of scanning.
These grant types are supported:
- Authorization Code
- Implicit
- Client Credentials
- Resource Owner Password Credentials
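The following is an added example, not code from the product or its documentation, that shows where each record type's credentials end up in a request: Basic server authentication in the Authorization header, a Bearer Token in the Authorization header, an API Key in either a header or a query parameter, and the OAuth2 Client Credentials grant as a form-encoded POST to the token endpoint. The record dictionaries, their field names (type, username, in, name, value) and the URLs are constructed assumptions for illustration, not the product's own schema. Digest and NTLM are challenge-response schemes, so their header cannot be built before the server's 401 challenge arrives; the helper flags that instead of guessing.

```python
"""Build the HTTP credentials a scanner attaches for each authentication record type.

Example code; the record format below is an assumption, not the product's own schema.
"""
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def basic_auth_header(username: str, password: str) -> dict:
    """Basic server authentication (RFC 7617): credentials travel in the
    Authorization header as base64 text. That is encoding, not encryption,
    so this only belongs on a TLS connection."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def bearer_auth_header(token: str) -> dict:
    """Bearer Token record: the token value goes verbatim into Authorization."""
    return {"Authorization": f"Bearer {token}"}


def apply_api_key(url: str, headers: dict, name: str, value: str, location: str) -> tuple:
    """API Key record: the record decides whether the key is sent as a header
    or appended as a query parameter. Returns (url, headers)."""
    if location == "header":
        return url, {**headers, name: value}
    if location == "query":
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append((name, value))
        return urlunsplit(parts._replace(query=urlencode(query))), headers
    raise ValueError(f"unsupported API key location: {location!r}")


def client_credentials_token_request(token_url: str, client_id: str,
                                     client_secret: str, scope: str = None) -> tuple:
    """OAuth2 Client Credentials grant (RFC 6749 section 4.4): a form-encoded POST
    to the token endpoint, with the client authenticating via HTTP Basic.
    Returns (url, headers, body); the access token in the response is then
    used as a Bearer token on the API requests."""
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               **basic_auth_header(client_id, client_secret)}
    return token_url, headers, urlencode(body)


def build_request(url: str, record: dict) -> tuple:
    """Dispatch on the (assumed) record type and return (url, headers) for a
    request to `url`."""
    kind = record["type"]
    if kind == "basic":
        return url, basic_auth_header(record["username"], record["password"])
    if kind == "bearer":
        return url, bearer_auth_header(record["token"])
    if kind == "api_key":
        return apply_api_key(url, {}, record["name"], record["value"], record["in"])
    if kind in ("digest", "ntlm"):
        # Both are challenge-response: the Authorization value depends on the
        # nonce/challenge the server returns with its 401, so it cannot be precomputed.
        raise NotImplementedError(f"{kind} requires the server's 401 challenge first")
    raise ValueError(f"unknown record type {kind!r}")


if __name__ == "__main__":
    # Constructed sample records, using the RFC 7617 example credentials for Basic.
    print(build_request("https://api.example.test/pets",
                        {"type": "basic", "username": "Aladdin", "password": "open sesame"}))
    print(build_request("https://api.example.test/pets?limit=5",
                        {"type": "api_key", "name": "api_key", "value": "abc123", "in": "query"}))
    print(client_credentials_token_request("https://auth.example.test/token",
                                           "scanner", "s3cret", scope="read"))
```

The query-parameter branch parses and re-encodes the existing query string rather than string-concatenating "&name=value", so a URL that already carries parameters or reserved characters stays well-formed. Note that a key sent in the query string is far more likely to end up in server and proxy logs than one sent in a header, which is worth weighing when the record offers the choice.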
OAuth2 Authentication using Selenium
Selecting "Authorization Code" or "Implicit" grant types requires you to upload a valid Selenium script. Record the authentication process in a Selenium script and upload the script to your authentication record. At scan time we'll play back the script to authenticate to the API server.
For details, see Use Selenium Script.